Source: optee-os
Version: 4.10.0-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for optee-os.

CVE-2026-40290[0]:
| OP-TEE is a Trusted Execution Environment (TEE) designed as
| companion to a non-secure Linux kernel running on Arm Cortex-A
| cores using the TrustZone technology. Starting in version 3.16.0 and
| prior to 4.11.0, a use-after-free (UAF) race condition exists in
| the shared memory teardown logic of FF-A within OP-TEE SPMC/SP
| flows. This only applies when OP-TEE is configured as an SPMC for
| S-EL0 SPs, that is, with `CFG_SECURE_PARTITION=y`. The function
| `sp_mem_remove()`, responsible for freeing entries in
| `smem->receivers` and `smem->regions`, fails to acquire the global
| `sp_mem_lock` before performing the `free()` operations.
| Concurrently, other code paths, such as `sp_mem_get_receiver()`,
| iterate over these same lists without holding a lock, or, like
| `sp_mem_is_shared()`, iterate while holding the lock but are not
| serialized against the unprotected `free()` in `sp_mem_remove()`.
| This creates a cross-thread race where a thread iterating the list
| can acquire a pointer to an entry (e.g., `struct sp_mem_map_region`
| or `struct sp_mem_receiver`), and then another thread calls
| `sp_mem_remove()`, freeing the object. When the first thread resumes
| and dereferences the pointer, it results in a Use-After-Free
| vulnerability. Version 4.11.0 fixes the issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-40290
    https://www.cve.org/CVERecord?id=CVE-2026-40290
[1] https://github.com/OP-TEE/optee_os/security/advisories/GHSA-332c-xr93-849m

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
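The following is an added illustration and is not OP-TEE code nor part of the advisory. It models the bug class the description above names with hypothetical names: a list of receivers guarded by one global lock, a lookup that walks the list, and a teardown that frees the entries. The global lock is replaced by a flag so the example stays single-threaded and deterministic, and free() is instrumented to count frees performed without the lock, the check a practitioner would add as a lock-held assertion. The "unlocked" teardown reproduces the defective shape (unlinking and freeing with no lock); the "locked" teardown and the copy-out lookup show the shape that closes the window.

```c
/* Added example, not OP-TEE code. All names below are hypothetical. */
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

struct mem_receiver {
	struct mem_receiver *next;
	uint16_t endpoint_id;
	uint32_t perm;
};

struct shared_mem {
	struct mem_receiver *receivers;
};

/* Stand-in for the global lock: a flag instead of a real mutex, so the
 * interleavings can be reasoned about from a single thread. */
static bool g_lock_held;
/* Number of frees performed while the lock was NOT held (the defect). */
static unsigned g_unlocked_frees;

static void lock_acquire(void) { assert(!g_lock_held); g_lock_held = true; }
static void lock_release(void) { assert(g_lock_held); g_lock_held = false; }

/* Instrumented free(): a lock-held assertion turned into a counter so the
 * result can be observed; real code would simply assert(lock_held()). */
static void checked_free(void *p)
{
	if (!g_lock_held)
		g_unlocked_frees++;
	free(p);
}

static bool smem_add_receiver(struct shared_mem *smem, uint16_t id, uint32_t perm)
{
	struct mem_receiver *r = calloc(1, sizeof(*r));
	if (!r)
		return false;
	r->endpoint_id = id;
	r->perm = perm;
	lock_acquire();
	r->next = smem->receivers;
	smem->receivers = r;
	lock_release();
	return true;
}

static void free_receivers(struct mem_receiver *r)
{
	while (r) {
		struct mem_receiver *next = r->next;
		checked_free(r);
		r = next;
	}
}

/* Defective shape: unlink and free with no lock, so a walker on another
 * thread may still hold a pointer to an entry that is being freed. */
static void smem_remove_unlocked(struct shared_mem *smem)
{
	struct mem_receiver *r = smem->receivers;
	smem->receivers = NULL;
	free_receivers(r);
}

/* Fixed shape: unlink and free under the same lock the walkers take, so no
 * walker can observe an entry after it has been freed. */
static void smem_remove_locked(struct shared_mem *smem)
{
	lock_acquire();
	struct mem_receiver *r = smem->receivers;
	smem->receivers = NULL;
	free_receivers(r);
	lock_release();
}

/* Safe lookup: copy the needed field out under the lock instead of handing
 * the caller a pointer into the list to dereference later without the lock. */
static bool smem_get_receiver_perm(struct shared_mem *smem, uint16_t id, uint32_t *perm_out)
{
	bool found = false;
	lock_acquire();
	for (struct mem_receiver *r = smem->receivers; r; r = r->next) {
		if (r->endpoint_id == id) {
			*perm_out = r->perm;
			found = true;
			break;
		}
	}
	lock_release();
	return found;
}

/* Builds a 3-entry list, tears it down with or without the lock, and returns
 * how many frees happened outside the lock: 3 for the defective shape, 0 fixed. */
unsigned demo_teardown(bool with_lock)
{
	struct shared_mem smem = { 0 };
	g_unlocked_frees = 0;
	for (uint16_t id = 0x8001; id <= 0x8003; id++)
		smem_add_receiver(&smem, id, 0x3);
	if (with_lock)
		smem_remove_locked(&smem);
	else
		smem_remove_unlocked(&smem);
	return g_unlocked_frees;
}

/* Lookup by value succeeds before teardown and fails cleanly after it;
 * no pointer into the list ever outlives the lock. Returns 1 on success. */
int demo_lookup_copy(void)
{
	struct shared_mem smem = { 0 };
	uint32_t perm = 0;
	smem_add_receiver(&smem, 0x8001, 0x3);
	bool before = smem_get_receiver_perm(&smem, 0x8001, &perm);
	smem_remove_locked(&smem);
	bool after = smem_get_receiver_perm(&smem, 0x8001, &perm);
	return (before && perm == 0x3 && !after) ? 1 : 0;
}
```

Calling `demo_teardown(false)` reports three frees outside the lock, `demo_teardown(true)` reports none, and `demo_lookup_copy()` returns 1. The point of the copy-out lookup is that a lock around the walk alone is not enough when the walker returns a pointer into the list: the dereference happens after the lock is dropped, which is exactly the window the description above identifies.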
